On Tue, 2022-01-25 at 16:34 -0600, Richard Laager wrote:
> > At least not quickly... AFAIU it should still be able to slowly
> > change my time, over time.
> 
> I don't see how that's possible. Eventually that single server will
> tick too far outside of the consensus window and be excluded as a
> falseticker.

I meant for the case when people don't use the pool... or maybe they
use a pool, which is under the single control of one group.


> To give you a real example of this... At $DAYJOB a week ago, one of
> my NTP servers has a PPS input from a telecom GPS clock. This clock
> failed; specifically it started outputting bad time (ticking at the
> wrong rate, as opposed to stopping outputting time entirely). ntpd
> followed this for a bit, making it look like the other sources all
> went insane simultaneously. After a few minutes (of elapsed time, not
> of time drift!), the error was bad enough that ntpd realized the PPS
> was insane, stopped following it, and followed the consensus of the
> other sources back to sanity. And this was with the PPS source marked
> "prefer". I'm not sure if anyone kept the graphs, but the error was us
> or ms, not even seconds, much less your example of 3 minutes.

But then you have a pool configured, right? Didn't you mention in some
readme (or was that somewhere else?) that there is not yet a pool just
for NTS supporting sources?


> Yes, they could. And someone (USNO, I think) had a bug a couple years
> ago where they did serve bad time. But if you have multiple sources,
> as you should, then you have protection against this. For example, I
> get my time from 8 sources, two with old style authentication and 1
> with NTS.

Ah here you answer it already.

Okay, it gets awkward now, but even such a situation (with a pool)
might probably be attackable (blocking attack).

Consider a powerful attacker who a) runs a clocksource one trusts and
b) can block traffic to any other sources in the pool one uses?

Does NTP(sec) complain eventually (like too many sources not answering,
something is fishy)... or would it just happily continue with the one
(then evil) source?


> The default configuration uses the pool, so there too, a single
> source cannot cause one to accept bad time at boot even with -g.

Okay there I don't know enough about NTP, how that actually works (i.e.
does it even then already use multiple sources... or would it just pick
one of them).
But as I understand you... it would even then already use and compare
multiple sources.


> The _only_ real answer to the MITM is NTS.

Sure.


Cheers,
Chris.
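The consensus and falseticker behaviour discussed in this thread (one wrong source being voted out by the others, and the question of what a lone surviving source should mean) as an added Python sketch. This is not part of the thread and not ntpd or NTPsec code: it implements the intersection (Marzullo-style) clock selection from RFC 5905 in simplified form over constructed sample sources, and adds an assumed minimum-survivor threshold (`MIN_SURVIVORS`, a value chosen for this example, not either daemon's default) so that the blocking scenario above is reported rather than silently followed. Source names and offsets are constructed.

```python
"""Simplified NTP-style clock selection (intersection algorithm) over
constructed sample sources. Added illustration, not ntpd/NTPsec code."""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_SURVIVORS = 3  # assumed policy value for this example, not a daemon default


@dataclass(frozen=True)
class Source:
    name: str
    offset: float       # measured offset vs. the local clock, seconds
    bound: float        # error bound (root distance), seconds
    reachable: bool = True


@dataclass
class Selection:
    status: str                     # ok | no_reachable | no_majority | too_few_survivors
    low: Optional[float]
    high: Optional[float]
    truechimers: List[str] = field(default_factory=list)
    falsetickers: List[str] = field(default_factory=list)
    unreachable: List[str] = field(default_factory=list)

    @property
    def offset(self) -> Optional[float]:
        """Midpoint of the consensus interval, or None when nothing is trusted."""
        if self.status != "ok":
            return None
        return (self.low + self.high) / 2


def clock_select(sources: List[Source]) -> Selection:
    """Find the largest set of mutually overlapping [offset-bound, offset+bound]
    intervals; sources wholly outside that region are falsetickers."""
    unreachable = [s.name for s in sources if not s.reachable]
    cands = [s for s in sources if s.reachable]
    n = len(cands)
    if n == 0:
        return Selection("no_reachable", None, None, unreachable=unreachable)

    # Each interval contributes an entering (+1) and a leaving (-1) edge.
    edges = []
    for s in cands:
        edges.append((s.offset - s.bound, +1))
        edges.append((s.offset + s.bound, -1))
    # Ascending; on ties, entering edges first so touching intervals count as overlapping.
    asc = sorted(edges, key=lambda e: (e[0], -e[1]))

    low = high = None
    # Tolerate up to `allow` falsetickers as long as they remain a strict minority.
    for allow in range((n + 1) // 2):
        need = n - allow
        low = high = None
        count = 0
        for value, kind in asc:            # sweep upward to the first point covered `need` times
            count += kind
            if count >= need:
                low = value
                break
        count = 0
        for value, kind in reversed(asc):  # sweep downward likewise
            count -= kind
            if count >= need:
                high = value
                break
        if low is not None and high is not None and low <= high:
            break
    else:
        return Selection("no_majority", None, None, unreachable=unreachable)

    truechimers, falsetickers = [], []
    for s in cands:
        if s.offset + s.bound < low or s.offset - s.bound > high:
            falsetickers.append(s.name)
        else:
            truechimers.append(s.name)
    status = "ok" if len(truechimers) >= MIN_SURVIVORS else "too_few_survivors"
    return Selection(status, low, high, truechimers, falsetickers, unreachable)


def failed_pps_scenario() -> Selection:
    """Constructed version of the GPS/PPS failure above: four network sources
    agree, the preferred PPS has drifted 150 ms away with a tight error bound."""
    return clock_select([
        Source("pool-a", 0.0010, 0.010),
        Source("pool-b", -0.0020, 0.010),
        Source("pool-c", 0.0005, 0.010),
        Source("pool-d", 0.0030, 0.010),
        Source("pps-gps", 0.1500, 0.001),
    ])


def blocked_sources_scenario() -> Selection:
    """Constructed version of the blocking attack asked about above: the same
    pool, but only the attacker-controlled source still answers."""
    return clock_select([
        Source("pool-a", 0.0010, 0.010, reachable=False),
        Source("pool-b", -0.0020, 0.010, reachable=False),
        Source("pool-c", 0.0005, 0.010, reachable=False),
        Source("pool-d", 0.0030, 0.010, reachable=False),
        Source("attacker", 180.0, 0.001),
    ])


if __name__ == "__main__":
    for sel in (failed_pps_scenario(), blocked_sources_scenario()):
        print(sel.status, sel.offset, "falsetickers:", sel.falsetickers,
              "unreachable:", sel.unreachable)
```

In the first scenario the PPS source is the only interval outside the consensus, so it is marked a falseticker and the four pool sources carry the clock, matching the recovery described above. In the second, the lone attacker interval trivially "agrees with itself", which is exactly why the survivor-count check matters: the sketch reports `too_few_survivors` and returns no offset instead of stepping three minutes. A monitoring rule on that status (or on the unreachable list growing) is the defender-side answer to "does it complain eventually".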
